Bug #68226 FULLY UNABLE TO USE LOAD DATA LOCAL Statement IN Web Production Environments
Submitted: 2014-10-14 10:57 UTC Modified: 2014-10-14 15:20 UTC
Votes:16
Avg. Score:4.4 ± 0.9
Reproduced:15 of 15 (100.0%)
Same Version:8 (53.3%)
Same OS:4 (26.7%)
From: georgy dot garnov at gmail dot com Assigned: mysql
Status: Assigned Package: PDO MySQL
PHP Version: 5.6.1 OS: ALL
Private report: No CVE-ID:

 [2014-10-14 10:57 UTC] georgy dot garnov at gmail dot com
Description:
------------
If you set open_basedir in your php.ini or use PHP as FCGI, you will always get the "The used command is not allowed with this MySQL version" error.
You can use new PDO($dsn,$login,$password, array(PDO::MYSQL_ATTR_LOCAL_INFILE => true)), but it will have no effect.
So you are fully unable to use LOAD DATA LOCAL INFILE.
That's because of \ext\pdo_mysql\mysql_driver.c
LINES 626 to 633
#if PHP_API_VERSION < 20100412
		if ((PG(open_basedir) && PG(open_basedir)[0] != '\0') || PG(safe_mode))
#else
		if (PG(open_basedir) && PG(open_basedir)[0] != '\0') 
#endif
		{
			local_infile = 0;
		}
As you can see, you will always fail in production environments.
There is no check whether the loaded file is inside the base dir; it just fails.
That's bad!!


 [2014-10-14 15:20 UTC] johannes@php.net
-Assigned To: +Assigned To: mysql
 [2014-10-14 15:20 UTC] johannes@php.net
With libmysql we can't check the path. As soon as the feature is enabled, the server can request any file it likes (the client sends SQL to the server, the server parses it and requests the file, the client doesn't know SQL); therefore, on PHP versions using libmysql, we can't check the path.

With mysqlnd this is different; there we can check the path. Andrey, do you have any thoughts on this? Any issues if we make this check less strict?

Security-wise "interesting" might be if a malicious server requests php://input or such.
 [2015-02-03 20:14 UTC] phpbugs2012 at joern dot heissler dot de
See also related https://bugs.php.net/bug.php?id=62889
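
The comment above notes that the file name comes from the server's reply rather than from the SQL the client sent, so a client that wants to honour open_basedir has to check the name in the LOCAL INFILE request itself (marker byte 0xFB followed by the file name). A sketch of such a check, as an added example that is not part of the original report and not PHP's or mysqlnd's code; the function names and the ':'-separated directory list are assumptions, and the sample paths are constructed:

```c
#include <stdio.h>
#include <string.h>

/* Decide whether the file named in a server's LOCAL INFILE request (payload:
 * marker byte 0xFB, then the file name) may be read by the client. basedirs is
 * a ':'-separated list of allowed directories (assumed format). Lexical check
 * only: symlinks are not resolved, which a production check must also do. */
int infile_request_allowed(const unsigned char *payload, size_t len,
                           const char *basedirs)
{
    char name[512];
    if (len < 2 || payload[0] != 0xFB || len - 1 >= sizeof(name))
        return 0;                          /* not a usable LOCAL INFILE request */
    memcpy(name, payload + 1, len - 1);
    name[len - 1] = '\0';
    if (strlen(name) != len - 1)           /* embedded NUL byte in the name */
        return 0;
    if (name[0] != '/' || strstr(name, "://") != NULL)
        return 0;                          /* relative path or stream wrapper */
    for (const char *p = name; (p = strstr(p, "/..")) != NULL; p += 3)
        if (p[3] == '/' || p[3] == '\0')   /* ".." path component */
            return 0;
    for (const char *d = basedirs; *d != '\0'; ) {
        size_t dl = strcspn(d, ":"), cmp = dl;
        while (cmp > 1 && d[cmp - 1] == '/') cmp--;  /* drop trailing '/' */
        if (cmp > 0 && strncmp(name, d, cmp) == 0 &&
            (name[cmp] == '/' || cmp == 1))  /* match ends on a '/' boundary */
            return 1;
        d += dl + (d[dl] == ':');
    }
    return 0;
}

/* Hypothetical helper: build the payload a server would send for `name`. */
int check_requested_name(const char *name, const char *basedirs)
{
    unsigned char pkt[600];
    size_t n = strlen(name);
    if (n + 1 > sizeof(pkt)) return 0;
    pkt[0] = 0xFB;
    memcpy(pkt + 1, name, n);
    return infile_request_allowed(pkt, n + 1, basedirs);
}

int main(void)
{
    printf("%d %d\n", check_requested_name("/var/www/uploads/data.csv", "/var/www:/tmp"),
           check_requested_name("php://input", "/var/www:/tmp"));
    return 0;
}
```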
 
Last updated: Tue Mar 28 19:01:48 2017 UTC